Multilevel Access Control for Ubiquitous Environments

Jehan Wickramasuriya & Nalini Venkatasubramanian
Dept. of Information & Computer Science, University of California, Irvine
Irvine, CA 92697-3425, USA
{jwickram,nalini}@ics.uci.edu

Abstract— This paper presents a domain-based approach to access control in distributed environments with mobile objects and nodes. We utilize a slightly different notion of an object's 'view', by linking its context to the state information available to it for access control purposes. In this work, we tackle the problem of hiding sensitive information in insecure environments by providing objects in the system a view of their state information, and subsequently managing this view. Combining access control requirements and multilevel security with the mobile and contextual requirements of active objects allows us to re-evaluate security considerations for mobile objects. We present a middleware-based architecture for providing access control in such an environment and view-sensitive mechanisms for protection of resources while both objects and hosts are mobile. We also examine issues with delegation and revocation. Performance issues are discussed in supporting these solutions, as well as an initial prototype implementation and accompanying results.

I. INTRODUCTION

Security is a critical issue in mobile environments where computational entities (e.g. agents), devices and resources can be easy targets of attacks. With the rapid growth in wireless networks and mobile agent applications, security mechanisms are needed to prevent service and content providers as well as unauthorized personnel from gaining access to sensitive data and resources on mobile client devices. This paper deals with one particular aspect of security, that of access control in the presence of mobile hosts and objects. Our work considers two types of mobility: object mobility and node mobility.
Object mobility concerns the movement of individual objects between nodes in the network. These objects may be dynamically created within a node and migrate from node to node within the network, possibly carrying sensitive state information. Node mobility refers to the physical movement of mobile hosts (e.g. laptop, PDA, etc.) in a distributed environment. The concept of object and node mobility is similar to the notion of logical and physical mobility introduced by Roman et al. [18] and to Cardelli et al.'s virtual and physical mobility [7].

Seamless execution of secure applications in the presence of object and node mobility introduces challenges in managing mobility, maintaining concurrency and providing secure access to resources. Firstly, mobile devices have resource limitations in terms of battery power, memory and storage. Secondly, mobile hosts are subject to disconnections and varying network availability; access control mechanisms must be capable of dynamically "re-evaluating" access rights when a disconnected node rejoins at a different point in the wireless network. Thirdly, applications will need to execute seamlessly in the presence of changing access rights. Traditionally, when an application operating on secure content moves between security domains, it may need to be restarted after the user has determined what content to hide (or restore). One possible solution is to encrypt information as objects/nodes traverse insecure environments. On mobile devices where resources (e.g. residual power, memory) are at a premium, encryption-based techniques to facilitate data hiding are prohibitively expensive. In this paper we explore a middleware-based approach where mobility management services at the object and node levels capture and store sensitive information before it reaches the insecure environment.
Since not all state information may be accessible to an object at any point in time, a trusted repository is utilized to store sensitive information that needs to be hidden from an object. This approach is analogous to firewall-based approaches to corporate security, since we 'filter' out sensitive information at the object level. To model varying security levels, we adopt a multilevel security (MLS) approach [3] to facilitate sharing of data in a safe manner without the danger of 'leaking' sensitive data to unauthorized users. In the MLS approach, entities are associated with different security classifications, which are then used to regulate access to various resources (i.e. objects) resident on both fixed and mobile nodes. In addition, we introduce the notion of the view of an object as the local representation of its state in its current security context. An object's view changes as it moves in and out of environments with varying security levels. Using the above concepts, this paper develops techniques for information hiding that utilize multilevel security while specifically taking into account the mobile nature of both objects and hosts.

This paper is organized as follows: Section 2 describes our object representation and a meta-level architecture for access control. In Section 3 we introduce the concept of domain-based access control and develop techniques for view management of objects and nodes that move through varying security domains. Section 4 examines issues relating to delegation and revocation of rights in our framework. In Section 5, we analyze the performance of the proposed view management techniques under various